Friday, February 1, 2013

Setting up SSL with Elastic Load Balancer

What is Elastic Load Balancer (ELB) used for?
  • distribute traffic to EC2 instances (single or multiple AZ)
  • can detect health of each EC2 instance
  • sticky sessions: pins a user's session to one EC2 instance
  • supports SSL termination and offloads SSL decryption
  • integrates with Amazon CloudWatch; can see request count and latency
  • auto-scaling for EC2 instances

Some common structures:
  • Internet-facing ELB in front of reverse proxies (e.g. Nginx, Lighttpd, Apache) that forward to application servers
  • ELB to load balance all your application servers; ELB can be used as an internal backend load balancer

Pros:
  • fault tolerant by load balancing multi availability zones
  • can detect the health of EC2 instances
  • auto-scaling


In the following sections, we will demonstrate how to set up an Elastic Load Balancer with SSL.


Obtaining the private and public keys:

Skip this if you have your keys already.

Begin by generating a Certificate Signing Request (CSR):
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Fill in the following:
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Software, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.domain.com
Email Address []:admin@domain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Two files will be produced:

  • domain.csr
  • domain.key


Submit the CSR to the registrar. After your registrar has verified your request, it will send you the signed certificate.


In the case of GoDaddy, you will get back a zip file containing:

  • domain.com.crt
  • gd_bundle.crt


When submitting to the Elastic Load Balancer, you will need to supply the private key, the certificate and the certificate chain in PEM format.

Private Key (the -text option would prepend a human-readable dump, which the ELB will not accept; output only the PEM block):
openssl rsa -in domain.key -outform PEM

Public Key Certificate (For GoDaddy, skip this):
openssl x509 -inform PEM -in domain.com.crt

Certificate Chain (For GoDaddy, skip this):
openssl x509 -inform PEM -in gd_bundle.crt
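The CSR and conversion steps above, carried through end to end as an added example (not from the original post): it generates the key and CSR non-interactively, stands in for the registrar with a constructed throwaway CA, writes the three PEM files the ELB SSL screen asks for, and checks that the key, certificate and chain actually belong together before you paste them into the console. It assumes openssl is on PATH; the CA, file names and WORK directory are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: produce the three PEM files the ELB
# SSL screen asks for and sanity-check them before upload. Assumes openssl on PATH.
# The registrar step is replaced by a constructed throwaway CA (stand-in for gd_bundle.crt).
set -eu
WORK=${WORK:-$(mktemp -d)}

# Same CSR as in the post, but non-interactive via -subj.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/domain.key" -out "$WORK/domain.csr" \
    -subj "/C=CA/ST=Ontario/L=Toronto/O=ABC Software, Inc./CN=*.domain.com" 2>/dev/null
}

# Constructed stand-in for the registrar: a throwaway CA signs the CSR.
fake_registrar() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/gd_bundle.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/domain.csr" \
    -CA "$WORK/gd_bundle.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/domain.com.crt" 2>/dev/null
}

# Plain PEM output, as ELB expects (no -text dump in front of the key block).
to_pem() {
  openssl rsa -in "$WORK/domain.key" -outform PEM -out "$WORK/private.pem" 2>/dev/null
  openssl x509 -inform PEM -in "$WORK/domain.com.crt" -out "$WORK/cert.pem"
  openssl x509 -inform PEM -in "$WORK/gd_bundle.crt" -out "$WORK/chain.pem"
}

# Pre-upload checks: private key matches the certificate (same RSA modulus),
# the chain validates the certificate, and the CN is the wildcard we asked for.
check_bundle() {
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/private.pem" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$WORK/cert.pem")
  [ "$key_mod" = "$crt_mod" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$WORK/chain.pem" "$WORK/cert.pem" >/dev/null 2>&1 \
    || { echo "chain does not validate certificate" >&2; return 1; }
  openssl x509 -noout -subject -in "$WORK/cert.pem" | grep -q 'CN *= *\*\.domain\.com' \
    || { echo "unexpected subject" >&2; return 1; }
  echo "bundle OK in $WORK"
}

gen_csr && fake_registrar && to_pem && check_bundle
```

With a real registrar, replace fake_registrar by dropping the returned domain.com.crt and gd_bundle.crt into $WORK; the same check_bundle then tells you whether the key on disk is the one the CSR was made from and whether the bundle you were sent actually chains to your certificate.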


Setting up an Elastic Load Balancer

In the AWS Management Console (EC2 dashboard), click on Load Balancers on the left sidebar.

Click on Create Load Balancer.

Create a name for your load balancer.

Load Balancer Protocol and Port are the internet-facing interface, whereas the Instance Protocol and Port are where backend instances would be connected to.

Add HTTPS and HTTP like the following:

Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port
HTTP                   | 80                 | HTTP              | 80
HTTPS (Secure HTTP)    | 443                | HTTP              | 80

Remove HTTPS if you don't need it.

Click Continue.

In the SSL screen, fill in the following:
  • certificate name - Put anything you want. It's just an identifier
  • private key
  • public key certificate
  • certificate chain

See the section above for how to obtain the private key, public key certificate and the certificate chain.

In the next screen, you will choose the SSL ciphers.

AES with a key size > 2048 bits is the most secure, while RC4 is the fastest stream cipher algorithm.

I use ELBDefaultNegotiationPolicy. Feel free to customize this.

Click on Continue to the Health Check section.

For Ping Path, change it to "/" instead of "/index.html". Every instance this Elastic Load Balancer connects to must allow the Ping Protocol and Port in its Security Group, or the health check will mark it unhealthy.

Adjust the other options if necessary. Click Continue.

Select the EC2 instances you want to connect to.

Review your settings and you are done!


DNS for Elastic Load Balancer

You should never create an A record pointing at the Elastic Load Balancer's IP addresses, because those addresses can change at any time. Instead, use a CNAME record pointing at the load balancer's DNS name.

If you want to point the zone apex at the load balancer (which a CNAME record cannot do), you may want to use Amazon Route 53.

In AWS Management Console, click on the Load Balancer tab in the left column.

Click on your load balancer. Note down the A record in the DNS Name Description.

In Amazon Route 53, create your Hosted Zone. Read Using Amazon Route 53 to map a subdomain to an instance for more information.

Click on your desired Hosted Zone. Click on Create Record Set.

In the Edit Record Set panel, select A record for the Type drop down box. Select Yes for Alias. Fill in your Elastic Load Balancer's alias to the Alias Target. Click Save Record Set.

Use any SSL checker online to make sure it's working.
